

What is a watering hole attack?

Watering hole attacks, also known as strategic website compromise attacks, target a particular group of victims by creating a sham website or compromising the legitimate websites they visit.

Criminals first build up a profile of their intended victims, such as employees of corporations or government agencies, identifying popular or niche websites they visit.

Then, much like watering holes in nature, the hackers lurk in wait to snag their prey. They do this by exploiting vulnerabilities in the website to inject malicious script or code that redirects the target to a separate site, which infects the visitor with malware. Once a visitor to the website is infected, the malware gives hackers access to their network, enabling them to steal sensitive data or take control of IT systems.
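The injected-script-and-redirect mechanism described above is what a defender monitoring the sites their staff frequent would look for. The following is an added example, not code from the article: it scans a page's HTML for external script and iframe sources and meta-refresh redirects that point at domains outside an assumed allowlist; the allowlist, the domain names and the sample page are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains the monitored site legitimately loads content from.
ALLOWED_DOMAINS = {"news.example.org", "cdn.example.org"}


class InjectionScanner(HTMLParser):
    """Collects external script/iframe sources and meta-refresh redirects."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self._check(tag, a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content", "")
            if "url=" in content.lower():
                # "0; url=https://host/path" -> keep everything after the first "="
                self._check("meta-refresh", content.split("=", 1)[1].strip())

    def _check(self, kind, url):
        host = urlparse(url).hostname
        # Relative URLs (no host) are served by the site itself; skip them.
        if host and host.lower() not in ALLOWED_DOMAINS:
            self.findings.append((kind, host.lower()))


def scan_html(html):
    """Return (kind, host) pairs for references to domains outside the allowlist."""
    scanner = InjectionScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a legitimate page carrying an injected script tag and a
# meta-refresh redirect to a lookalike domain ("exarnple" with r-n instead of m).
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.org/site.js"></script>
<script src="https://cdn-stats.exarnple.org/t.js"></script>
<meta http-equiv="refresh" content="0; url=https://exarnple-news.net/update">
</head><body><iframe src="/video/player"></iframe></body></html>"""

if __name__ == "__main__":
    for kind, host in scan_html(SAMPLE_PAGE):
        print(f"{kind}: unexpected reference to {host}")
```

Run periodically against a saved copy of each monitored page, a change in the set of external hosts is the signal worth investigating; the check does not prove injection, only that the page now references something it did not before.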

Watering hole attacks are more sophisticated than common spear-phishing attacks and are usually associated with advanced persistent threat (APT) groups.

Watering hole tactics can be combined with spear phishing, malware, and domain hijackings. They tend to target specific industries or groups with the aim of stealing valuable data, such as trade secrets or research. The attack method, however, is also used by cyber criminals to compromise popular consumer websites for financial gain or to build botnet armies.

Why does it matter?

Watering hole attacks pose a significant threat, as they are difficult to detect and typically target high-security organisations through their low-security employees, vendors or an unsecured wireless network. As already mentioned, they have been increasingly used by APT groups to access the networks of large companies and government agencies or political groups.

In 2014, a watering hole attack on US news site Forbes.com, which exploited vulnerabilities in Adobe Flash and Microsoft’s Internet Explorer browser, is thought to have resulted in further attacks against US defence contractors and financial services companies. The attacks were believed to be the work of Chinese state espionage organisations, according to cyber security services company iSight.

ESET cyber security researchers recently discovered a new watering hole campaign targeting several websites in Southeast Asia by cyber espionage group OceanLotus. The campaign was large scale, involving at least 21 compromised websites, including the Ministry of Defence in Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia and several Vietnamese newspaper or blog websites.

Earlier in 2018, researchers at Morphisec uncovered a watering hole attack on the website of a leading Hong Kong telecom company. More recently, the Australian foreign affairs think tank the Lowy Institute was the subject of a watering hole attack from China. The attack appears to mirror a Chinese campaign against think tanks in the United States.

A watering hole attack was used by Chinese hackers to steal intellectual property and industrial trade secrets from US aerospace contractors. In October 2018, US federal prosecutors accused Chinese government intelligence officers of repeated computer intrusions to steal turbofan jet engine designs.

The hackers created a domain name that resembled the site of the target company, Capstone Turbines, so that related organisations mistakenly visited the false site, which was infected with malware that made their own networks vulnerable.


Jardine Lloyd Thompson Group plc

Jardine Lloyd Thompson Group plc, incorporated and registered in England and Wales. Registered Office at The St Botolph Building, 138 Houndsditch, London, EC3A 7AW. Registered number 1679424. Jardine Lloyd Thompson Group plc is a holding company, some of whose subsidiaries are authorised and regulated by the Financial Conduct Authority.